diff options
author | John Christopher Anderson <jchris@apache.org> | 2010-02-01 22:51:15 +0000 |
---|---|---|
committer | John Christopher Anderson <jchris@apache.org> | 2010-02-01 22:51:15 +0000 |
commit | ee8a76e1cad33831448dbf12a394c51aa65230f4 (patch) | |
tree | 37e50fb2b43d4bb01b55fa8d1c05cda965b4dc4d /share/www/script/test/security_validation.js | |
parent | 8c381ee8de4c43e84f937584a2b3cd5923602057 (diff) |
Database-level security.
This patch builds on the DB-admins feature to store lists of database admin and reader names and roles, as well as a security object which can be used for configuration in validation functions.
git-svn-id: https://svn.apache.org/repos/asf/couchdb/trunk@905436 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'share/www/script/test/security_validation.js')
-rw-r--r-- | share/www/script/test/security_validation.js | 38 |
1 files changed, 34 insertions, 4 deletions
diff --git a/share/www/script/test/security_validation.js b/share/www/script/test/security_validation.js index 43968426..9ecb9ba0 100644 --- a/share/www/script/test/security_validation.js +++ b/share/www/script/test/security_validation.js @@ -69,7 +69,13 @@ couchTests.security_validation = function(debug) { var designDoc = { _id:"_design/test", language: "javascript", - validate_doc_update: "(" + (function (newDoc, oldDoc, userCtx) { + validate_doc_update: "(" + (function (newDoc, oldDoc, userCtx, secObj) { + if (secObj.admin_override) { + if (userCtx.roles.indexOf('_admin') != -1) { + // user is admin, they can do anything + return true; + } + } // docs should have an author field. if (!newDoc._deleted && !newDoc.author) { throw {forbidden: @@ -99,11 +105,11 @@ couchTests.security_validation = function(debug) { } // set user as the admin - T(db.setDbProperty("_admins", ["Damien Katz"]).ok); + T(db.setDbProperty("_admins", {names : ["Damien Katz"]}).ok); T(userDb.save(designDoc).ok); - // test the _whoami endpoint + // test the _session API var resp = userDb.request("GET", "/_session"); var user = JSON.parse(resp.responseText).userCtx; T(user.name == "Damien Katz"); @@ -158,6 +164,31 @@ couchTests.security_validation = function(debug) { T(e.error == "unauthorized"); T(userDb.last_req.status == 401); } + + // admin must save with author field unless admin override + var resp = db.request("GET", "/_session"); + var user = JSON.parse(resp.responseText).userCtx; + T(user.name == null); + // test that we are admin + TEquals(user.roles, ["_admin"]); + + // can't save the doc even though we are admin + var doc = db.open("testdoc"); + doc.foo=3; + try { + db.save(doc); + T(false && "Can't get here. Should have thrown an error 3"); + } catch (e) { + T(e.error == "unauthorized"); + T(db.last_req.status == 401); + } + + // now turn on admin override + T(db.setDbProperty("_security", {admin_override : true}).ok); + T(db.save(doc).ok); + + // go back to normal + T(db.setDbProperty("_security", {admin_override : false}).ok); // Now delete document T(user2Db.deleteDoc(doc).ok); @@ -188,7 +219,6 @@ couchTests.security_validation = function(debug) { T(db.open("booboo") == null); T(db.open("foofoo") == null); - // Now test replication var AuthHeaders = {"WWW-Authenticate": "X-Couch-Test-Auth Christopher Lenz:dog food"}; var host = CouchDB.host; |